Europe Sets the Standard – Other Regions Follow
The Ibero-American Data Protection Network (“network”) adopted “Standards for Personal Data Protection for Ibero-American States” (“SPDP”) on June 20, 2017 at its meeting in Santiago, Chile, with the official English translation now available. Most data protection experts have predicted that the adequacy provisions of the European General Data Protection Regulation would drive a re-think of national data protection laws in other regions. The network document is the initial, but not the last, evidence that Europe is indeed driving the new legislative environment. In fact, the standard's recital 8 explicitly acknowledges the EU GDPR as an influence.
The standard is intended to drive reform where legislation already exists, and to be a model for legislation for Latin countries without existing laws. It is not current law in the region.
There are differences between the network document and GDPR, but the differences are not as significant as the similarity in tone. For example, the network SPDP describes nine permissions to process personal data, while the GDPR has six legal bases to process. However, the difference is greater clarity on the ability to use data related to a court order or in the public interest. There are also differences related to the use of the term responsible party as a substitute for accountability. Accountability is a term not well defined in Spanish or Portuguese. Lastly, data transfer guidance is more nuanced in the network standard.
The standard creates flexibility for big data in that it includes legitimate interests as one of the permissions for processing personal data, requiring a balancing assessment that is similar to Europe's. It also explicitly recognizes research and statistical analysis as compatible uses of data. This flexibility is specifically mentioned in recital 10, which states: “Becoming a pressing fact within the framework of constant technological innovation, the adoption of regulatory instruments that guarantee, on the one hand, the protection of the individuals regarding the treatment of their personal data, that is currently the base for development, strengthening and exchange of goods and services in a global and digital economy, over which the economies of the Ibero-American states are built.” This is a significant change for legal systems where permissions to process have almost completely relied on individual consent.
The impact of the standard will be long-term. Argentina's data protection authority has conducted the initial groundwork for revising its data protection law, and Brazil continues its legislative process. INAI, the Mexican authority, held the pen during the development of the standard. The Uruguay authority has also expressed an interest in flexibility concepts that are part of the standard. However, every state in Latin America has other competing interests, so legislating will take time.
The question of compatible systems is very much alive in other regions. Europe has expressed explicit interest in both Japan and South Korea. New Zealand and Canada will both consider whether their adequacy findings are in jeopardy.
The bottom line is that businesses in all regions need to begin considering how they would comply with many of the core obligations that are contained in this next generation of privacy law.